Are you ready for the future of cybersecurity? In collaboration with this month’s National Cyber Security Awareness Month and the European CyberSecMonth, we wanted to look at some predictions for the future of the cybersecurity market.
The internet is always evolving and you, as a business or as a consumer, need to be ready to adapt to the new technologies, regulations and strategies that will help to develop a safer and more secure internet.
We spoke to some of the most knowledgeable people at GlobalSign to ask them where they thought the future of cybersecurity was headed. Can you say you are ready for these predictions should they come true?
Paul Van Brouwershaven – Technology Solutions Director
The recent improvements of new ciphers and the implementations of HTTP2 and TLS 1.3 have made security more attractive for site owners than ever before, since now besides security, it also brings performance, which has shown better search results, advertisements and sales revenues for enterprises.
Browsers will push harder for security by warning users about unencrypted content, which will make users more security aware. This will result in HTTPS connections becoming the de facto standard on the internet and unencrypted (HTTP) connections will start to disappear slowly.
In strong contrast, there are email, mobile apps and IoT, where communication is much more hidden from the end-users and it’s still hard to verify the authenticity, integrity and security of the communication. I predict that we will see more large-scale security incidents in IoT where industrial processes, cars or homes are at risk because of the lack of encryption, authentication and integrity checks.
Encryption by default is something I see as a good thing. While I predict that governments will be concerned about their abilities to monitor the internet to ‘fight against terrorism’, these concerns will lead them to create new legislation which will have an impact on our privacy but more importantly, it will be impossible to guarantee that only a government has access to your data or that the data hasn’t been modified (like malware has been added).
Zachary Short – Principal Software Architect
AI and Machine Learning will play an increasing role in cybersecurity going forward.
Rather than being purpose built, security will become more organic and autonomous like your own immune system. Security will continually evolve in an ever-changing cyber-environment.
Continual training and adaptation will allow systems to not only recognize new threats but respond to them.
Anomaly detection in particular will become more pervasive and IoT ecosystems will rely on this as a line of defense for trusting data from peers.
Algorithms processing sensor data will not implicitly trust a single sensor node, but will “look” to surrounding nodes for consensus – think sensor fusion, strength in numbers and the power of redundancy.
Anomaly detection is already in use to detect fraudulent credit card transactions and machine learning algorithms continue to evolve to provide better spam and malware detection.
Nisarg Desai – Product Manager IoT
While consumer IoT will be in the news, the true value of IoT will be in its use in the industrial sector. There, the critical nature of assets and the consequences of poor security will lead to the rapid adoption of a variety of security solutions.
Over time, these will mature and be upgraded or replaced by standards-based solutions, one of which is PKI. Governing bodies, forward-thinking organizations, as well as a more educated customer-base will push for and get a basic level of security in every IoT product or service. Over time, security will be a necessity and thus will become the silent ingredient of every solution – after all, the most critical assets of any IoT system are humans.
Threat vectors that currently target traditional IT endpoints will be re-engineered to point towards OT assets. This will lead to a political convergence of power centers within an organizational structure and finally a merging of many IT and OT functions as one. This will lead even further into the implementation of unified solutions that focus on protecting asset value versus simply the system in which they reside.
We will also see novel uses of pre-existing technology to combat the hitherto undiscovered threats arising out of new technology use cases. Security will become implicit and implemented at a platform or ecosystem level, as well as be propagated out to everything it touches.
Simon Wood – Chief Technology Officer
Today we face an unprecedented rate of change, the rise of open access, interoperability, phenomenal increases in compute power, decreases in response time and unheard of transaction rates. We have engineered the perfect storm.
In as much as these advances can be directed and targeted to systems of our choosing, when it comes to security, it will always be ourselves who are the weak link in the chain.
Cybersecurity itself has been and will always be, quite literally, an arms race; nation states, organized crime syndicates, disgruntled individuals attacking nation states, enterprises, high profile organizations with the mass populace, both human and device, ready for weaponization at any time.
Ahead of us, it’s a Pandora’s Box of superlatives! From the board rooms to the shop floor, the impact of the unfolding landscape will both drive and be driven by continually evolving threats of growing sophistication.
No one technology, system or solution will be king. Cybersecurity must be both a ‘first class citizen’ and ‘by design’ and considered and applied holistically to people, processes, systems, devices and environments.
The tangible future of cybersecurity? Beyond certainty it will see an increase in mindshare and budget and increasingly pervade into all that we do.
Lancen LaChance – VP of Product Management
IoT standards will diverge into silos before they converge
As IoT takes off, many solutions will follow the path of proprietary or closed system approaches for security implementations in attempts, either to capture value by locking in solutions or for the path of least resistance.
However, as adoption accelerates and ecosystems grow, customers will show greater interest in standards-based solutions as interoperability and compatibility with a broader ecosystem become an important driver. There will be a similar trend in trust models for IoT ecosystems where first generation solutions revolve around a closed trust model, but as partners and connected devices diversify, practitioners will move towards broader trust models around identity provisioning and issuance relying on trusted third-parties and systems to maintain strong trust relationships.
Additional IoT hacks in critical infrastructure and automotive drive urgency in security
Implementation of security for cyber-physical systems will be accelerated by successful attacks in critical infrastructure and automotive use cases. This will, in turn, raise awareness and increase potential legislation to mandate security assurance by OEM and system operators.
Growth of decentralized trust mechanisms like blockchain will make progress but also encounter issues with use case implementations. It will remain in the periphery for several years until the innovators and early adopters stretch the technology through its growing pains in both its application in environments, as well as with the education of potential consumers.
Richard Hancock – Data Protection Officer - West
The ratification of the General Data Protection Regulation has effected the biggest shift in cultural awareness of our personal identity in modern history. As our defenses against identity theft and fraud evolve and grow, hackers are becoming smarter and using the very same technology against us, most noteworthy being the likes of ransomware, cryptolocker etc.
Over the next few years, cybersecurity is expected to see a much greater awareness amongst the general public with things like personal data and how this data is used by organizations. The new laws put all the onus onto the individual to give their consent for that information to be used and stored and this alone will alert you to this shift compared to the current ways of having to uncheck that tick box that we all know about, but seldom read.
New breach penalties of seismic proportions will incentivize organizations to put time, effort and, crucially, money that has never before needed to be budgeted for, into new measures, processes and equipment that will prevent such loss. Companies have to re-think system design and implementation to have privacy at the very core of the concept and given this, it is believed that we will see very different eCommerce platforms to those of today. Entities will want to offload the risk as much as possible and the easiest way to do this is to not hold the data in the first place. Finance houses will no longer see database encryption as optional and you would expect the industry leaders to drive these best practices forward to make it a standard.
The collapse of Safe Harbor instilled fear in most European citizens. Suddenly their data that was living in US data centers was no longer protected by this agreement and therefore subject to US surveillance laws. 2016 saw cloud providers react to this by starting to open EU-based data centers in an effort to keep their customers happy and comply with legal regulations and you would suggest that this approach continues to be adopted by an ever-growing number of suppliers over the coming years. With the uncertainty of Safe Harbor’s replacement, the Privacy Shield, continuing into 2017 after the Article 29 Working Group rejected it, both corporates and individuals are keen to know where their information is stored.
We are on the cusp of seeing the end of leaving confidential records on the train or in the taxi for example, but we’re also coming to the end of breaches hitting the mainstream headlines. Of course, the hackers will continue to be inventive in their ways to infiltrate our data but the progress in computing power, even at the consumer level, means ever increasing complexity in encryption algorithms and thus the good guys staying ahead of the bad guys.
We’re all going to witness this Personally Identifiable Information (PII) revolution and we should embrace it with both hands to give us the protection that is so badly needed in the decades to come, where the digital form will dominate even more than it already does and those 1s and 0s become more valuable than anything on paper by 100-fold or more.
Lila Kee – Chief Product Officer
There will be a backlash among both enterprise and consumers to security measures that are so stringent, productivity is hampered, or worse yet promote frustration and anxiety among users struggling to access information, resources and data needed to stay productive, engaged and satisfied with their online experiences.
Security vendors, at the urging of government, industry and market pressures, will respond with less intrusive, yet still secure solutions. PKI as an underlying technology will play a key, under-the-cover role in transparent security offerings.
Ian Thomas - Head of Global Business Development IoT
The Industrial Internet will foster industry and government collaboration on global architecture standards that address cybersecurity concerns. We are starting to see this happen now with the collaboration between the Industrial Internet Consortium and Industrie 4.0, with the backing of the EU.
Governments will themselves gain expertise whilst also being a strategic customer for the IIoT. They will become better informed to ensure best practices and to commission technology that uses open standards, is interoperable and secure.
The 'security of things' will take center stage. With the convergence of OT and IT, we will have different security concerns to address, in particular human safety.
However, with increased confidence in security, there will be a move from on-premise systems to cloud and fog models. While usage of these IaaS IIoT solutions will grow, no single computing architecture or security standard will monopolize their delivery.
Ultimately, a secure IIoT will fuel innovation and business model disruption. We will see the emergence of 'the outcome economy' where products and services are sold based upon the business value they can deliver.
Jun Hosoi – Product Manager S/MIME and Authentication
I believe “empty-handed” authentication will become the norm. Users won’t need to have a smart card, a one-time password device, smartphone call back or a password and ID to log into devices and services.
Instead, when users log into their PC, the camera on their PC will detect and identify that they are the PC owner through facial recognition.
And when someone buys something at a shop in their fitness club for example, or makes a withdrawal from their bank account, they will just need to put their finger on a scanner device. The device will read their finger vein pattern (or fingerprint) and identify them, then they can continue to access the service or purchase an item.
When someone uses an internet service, the scanner will link their identity information with their X.509 client certificate and then a server-side service can identify the user strongly. In this scenario, the user’s private key is stored on a Hosted HSM.
The idea is that we are moving into a future where we will not need to remember anything, or have anything in order to access services or purchase items. Soon we will be able to do everything “empty-handed”.
It looks like our team here believe that we have a lot of changes coming. From increased regulation to an appetite for IoT, the future of cybersecurity doesn’t seem all that far away. Consumers will become more demanding about their data and businesses will have to react, making their lives easier, whilst trying to keep the data that is important secure enough from the hackers.
I am sure we can’t be the only ones making predictions for the future of cybersecurity, data and privacy. Have you got a prediction? We would love to hear from you. Tell us what you think is in store on Twitter, or comment on this blog post.